Introduce a new test scenario to simulate silent stack corruption: - silent_corruption_buggy(): exposes a local variable address globally without resetting it. - silent_corruption_unwitting(): reads the exposed pointer and modifies the memory, simulating a routine that unknowingly writes to another stack frame. - silent_corruption_victim(): demonstrates the effect of silent corruption on unrelated local variables. Signed-off-by: Jinchao Wang --- mm/kstackwatch/test.c | 96 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 95 insertions(+), 1 deletion(-) diff --git a/mm/kstackwatch/test.c b/mm/kstackwatch/test.c index ab1a3f92b5e8..2b196f72ffd7 100644 --- a/mm/kstackwatch/test.c +++ b/mm/kstackwatch/test.c @@ -20,6 +20,9 @@ static struct proc_dir_entry *test_proc; #define BUFFER_SIZE 4 #define MAX_DEPTH 6 +/* global variables for Silent corruption test */ +static u64 *g_corrupt_ptr; + /* * Test Case 0: Write to the canary position directly (Canary Test) * use a u64 buffer array to ensure the canary will be placed @@ -61,6 +64,92 @@ static void canary_test_overflow(void) pr_info("canary overflow test completed\n"); } +static void do_something(int min_ms, int max_ms) +{ + u32 rand; + + get_random_bytes(&rand, sizeof(rand)); + rand = min_ms + rand % (max_ms - min_ms + 1); + msleep(rand); +} + +static void silent_corruption_buggy(int i) +{ + u64 local_var; + + pr_info("starting %s\n", __func__); + + pr_info("%s %d local_var addr: 0x%lx\n", __func__, i, + (unsigned long)&local_var); + WRITE_ONCE(g_corrupt_ptr, &local_var); + + do_something(50, 150); + //buggy: return without resetting g_corrupt_ptr +} + +static void silent_corruption_victim(int i) +{ + u64 local_var; + + local_var = 0xdeadbeef; + pr_info("starting %s %dth\n", __func__, i); + pr_info("%s local_var addr: 0x%lx\n", __func__, + (unsigned long)&local_var); + + do_something(50, 150); + + if (local_var != 0) + pr_info("%s %d happy with 0x%llx\n", __func__, i, local_var); + else + pr_info("%s %d unhappy with 0x%llx\n", __func__, i, local_var); +} + +static int silent_corruption_unwitting(void *data) +{ + u64 *local_ptr; + + pr_info("starting %s\n", __func__); + + do { + local_ptr = READ_ONCE(g_corrupt_ptr); + do_something(500, 1000); + } while (!local_ptr); + + local_ptr[0] = 0; + + return 0; +} + +/* + * Test Case 2: Silent Corruption + * buggy() does not protect its local var correctly + * unwitting() simply does its intended work + * victim() is unaware know what happened + */ +static void silent_corruption_test(void) +{ + struct task_struct *unwitting; + + pr_info("starting %s\n", __func__); + WRITE_ONCE(g_corrupt_ptr, NULL); + + unwitting = kthread_run(silent_corruption_unwitting, NULL, "unwitting"); + if (IS_ERR(unwitting)) { + pr_err("failed to create thread2\n"); + return; + } + + silent_corruption_buggy(0); + + /* + * An iteration-based bug: The unwitting thread corrupts the victim's + * stack. In a twist of fate, the victim's subsequent repetitions ensure + * the corruption is contained, protecting the caller's stack. + */ + for (int i = 0; i < 20; i++) + silent_corruption_victim(i); +} + static ssize_t test_proc_write(struct file *file, const char __user *buffer, size_t count, loff_t *pos) { @@ -88,6 +177,10 @@ static ssize_t test_proc_write(struct file *file, const char __user *buffer, pr_info("triggering canary overflow test\n"); canary_test_overflow(); break; + case 2: + pr_info("triggering silent corruption test\n"); + silent_corruption_test(); + break; default: pr_err("Unknown test number %d\n", test_num); return -EINVAL; @@ -108,7 +201,8 @@ static ssize_t test_proc_read(struct file *file, char __user *buffer, "==================================\n" "Usage:\n" " echo 'test0' > /proc/kstackwatch_test - Canary write test\n" - " echo 'test1' > /proc/kstackwatch_test - Canary overflow test\n"; + " echo 'test1' > /proc/kstackwatch_test - Canary overflow test\n" + " echo 'test2' > /proc/kstackwatch_test - Silent corruption test\n"; return simple_read_from_buffer(buffer, count, pos, usage, strlen(usage)); -- 2.43.0